Geslar logo
Geslar
4 min read

Why your AI agent should never see your passwords

AI agents now write code, pay bills and manage calendars. To do that, they need access to your accounts. Here's why access must never mean the agent SEES the password — and how we're building Geslar around that rule.

What happens when an agent "sees" a password
AI agents are no longer a toy. People let them write code, sort email, book appointments, even pay subscriptions. And every one of those tasks eventually hits the same wall: the agent needs a password, an API key or a token to actually get something done.

That's where a problem most people don't see yet begins.

Large language models work by folding everything you give them into their working context — the text they reason over. When you paste a password to an agent, it doesn't go "into a safe". It sits in that context, alongside everything else the agent reads: web pages, documents, other people's messages.

That's dangerous for three reasons:
1. Prompt injection
An attacker doesn't need to hack you — they just need to leave text somewhere your agent will read it. A malicious instruction hidden in a web page, a README or an email can talk the agent into "helpfully" forwarding everything it knows. Including your password, if it's in context. This isn't theoretical: prompt injection has topped OWASP's risk list for AI applications for years, precisely because there is still no reliable defence.
2. No revocation
Once a secret enters an agent's context, there is no "forget" button. It can end up in logs, in conversation history, in the next reply.
3. Agents are unpredictable
Paradoxically, that's their main virtue — it's why you use one. But a system you trust with secrets must be predictable. You don't reconcile those two by hoping for the best; you reconcile them by making sure the secret never reaches the unpredictable part of the system.
The industry just split into two camps
During 2026, every major password manager shipped some kind of AI integration. But look at how, and you'll see two completely different philosophies.
One camp hands the agent the passwords: the tool returns a password or a 2FA code straight into the agent's context. Convenient? Yes. Safe? The makers of those integrations themselves recommend using them only with a locally hosted AI model — which is a rather loud admission of the problem.
The other camp says: the agent may orchestrate, but must never see. The agent says "run the app with its secrets", and the password manager injects the values directly into the program that needs them — in memory, only while it runs. The agent gets confirmation the job is done. The value never passes through it.
At Geslar, we have no dilemma about which camp is right.
Our five rules
This is the doctrine we're building Geslar's AI access on — published before the feature ships, because rules come before code:
1. A secret never enters the AI context
The agent orchestrates; the value travels only into the program that needs it, in memory, while it runs.
2. Every access is approved
You approve what, for how long and why — and the agent must state a reason with every request.
3. Least privilege, limited time
Access applies to a specific item, for a set time, revocable in a second.
4. Everything is on the record
Who accessed what, when, under which authorization and why — a record fit for internal checks and audits alike (yes, including NIS2).
5. Local stays local
Decryption happens exclusively on your device. Our servers never see your keys — and AI changes that by exactly nothing. More on this in our zero-knowledge architecture.
What we're building
On this doctrine we're developing Geslar Agentic Access: a tool that lets your AI assistant (Claude, Cursor and others) start an application, set up a project or complete a task that requires secrets — without ever seeing a single one. Config files hold only safe references (geslar://Work/Stripe/key), values are injected only at the moment of execution, and every access is logged.
For companies it means something bigger: for the first time you can let AI tools into your team and show an auditor the exact record of every credential access — who, what, when, why.
The feature is in development. The doctrine, as you can see, is already published — feel free to hold us to it.

Questions about using AI agents safely? Write to us — this is a conversation we want to have.

Geslar — your data, your control. Free.

Download Geslar →

Author
Daniel Legin
Daniel Legin builds Geslar — a free password generator and manager made in Croatia.
More about Geslar →